0-day vulnerability in macOS exploited to attack visitors of Hong Kong news sites

Google analysts discovered that a group of government hackers deployed exploits for a 0-day macOS vulnerability on pro-democracy Hong Kong news sites, installing a backdoor on visitors’ computers.

Google does not associate the attackers with any particular country, only notes that the hack group is well resourced and probably supported by the state. Essentially, the hackers used a watering hole attack technique.

Such attacks are named by analogy with the tactics of predators that hunt at a watering hole, waiting for prey – animals that have come to drink. The term refers to attacks in which cybercriminals inject malicious code into legitimate sites, where it waits for victims, Google experts say.

According to Google, the attacks began in August 2021. The exploit chain combined an RCE bug in WebKit (CVE-2021-1789, fixed January 5, 2021) with local privilege escalation in the XNU kernel component (CVE-2021-30869, fixed September 23, 2021).

Interestingly, Apple initially fixed this issue on devices running macOS Big Sur, and that happened back on February 1, 2021. Only on September 23, 2021 did the company release a separate update for devices running macOS Catalina. The gap of 234 days between the two fixes underlines the fact that attackers can take advantage of vulnerabilities that remain unpatched in some versions of an operating system after being fixed in others.

It is known that in this case, the attackers used a chain of exploits to gain root access to macOS, and then downloaded and installed previously unknown MACMA or OSX.CDDS malware on victims’ machines. A detailed report on this malware can already be found in the blog of the well-known macOS security specialist Patrick Wardle.


The malware reportedly possessed traits typical of backdoors and spyware, namely:

  1. collected data about the device for its subsequent identification;
  2. took screenshots;
  3. worked as a keylogger;
  4. recorded local audio;
  5. could download and upload files;
  6. could execute terminal commands.

In fact, the exploit for the 0-day issue was public: it was presented by the Pangu Lab research group during a talk at zer0con21 in April 2021, as well as at the Mobile Security Conference (MOSEC) in July 2021. It is unclear when experts reported the vulnerability to Apple. It is likely that the company was simply late with the release of the patch, which allowed attackers to carry out their attacks.

The report also states that iOS users were attacked, but the attackers used a different exploit chain against them, one which Google TAG specialists could not fully recover. It is only known that the attacks used a framework based on the Ironsquirrel project (delivery of exploits to the browser) and also exploited an old remote code execution vulnerability (CVE-2019-8506).

Let me remind you that Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia, and also that Chinese authorities use AI to analyse emotions of Uyghur prisoners.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
